DETAILED ACTION

1. This written action is responding to the amendment dated on 12/03/2008.

2. Claim 65 has been amended. Claims 1-64 are previously presented. 

3. Claims 1, 4-6, 11, 32-34, 40-50, 53-54, and 56-65 have been submitted for 
examination. 


Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

4. Claims 1, 4, 11, 32-34, 40-50, 53, 56, 58, 60-62, and 65 are rejected under 35
U.S.C. 103(a) as being unpatentable over Fink et al. (U.S. Patent 6,496,935) and
Joyce (U.S. Patent 6,519,703).

i. Referring to Claims 1, 49, 50, and 62:

As per Claim 1, Fink et al. disclose an apparatus comprising:
a firewall [(fig. 1)] configured to: 

receive data packets over a first network [Packets which are permitted 
to pass through gateway 15 from external network 14 are then 
received by one of a plurality of protected nodes 20 (lines 335-37, 
Col. 5)]; 
classify the received data packets based on the contents of the data
packets into packets of a first type and second type [inspects the
contents of such packet or packets (line 67, Col. 6). Pre-filtering
module 30 also preferably features a classification engine 38,
including a data processor, for at least partially analyzing the
information from the packet (lines 4-6, Col. 8)];
Fink et al. do not expressly disclose the remaining limitations of the
claim. However, Joyce discloses packets which cannot contain virus 
and packets which can contain a virus and the virus scanning engine for 
testing if the packet contains virus [Prior to use, heuristic firewall 10B 
is trained to perform specific desired tasks. In this embodiment, 
for example, a first heuristic stage 36 is trained to recognize 
absolute high-confidence traffic, computer virus and Trojan 
signatures, denial-of-service attack signatures, and other computer 
security exploit signatures. After training and during use, if 
heuristic stage 36 clears a packet stream with a "high-confidence" 
rating (i.e., an analysis of the packets 22 by heuristic stage 36 
results in a high level of confidence that the packet stream does 
not contain threats that heuristic stage 36 is trained to detect), 
buffer 24 releases the packets into a secured channel 38 directly 
into network 30. If heuristic stage 36 processing results in only a 
lesser confidence rating (i.e., a "good-confidence" rating) that 
threats are absent, buffer 24 releases the packets into a traditional
firewall rule base 12 for standard processing. In this case, the 
output of traditional firewall rule base 12 is buffer 28. If heuristic 
stage 36 determines that the packet stream is certainly corrupted or 
otherwise undesired or that threats are detected
("poor-confidence"), buffer 24 shunts the packets elsewhere, for example,
either out of the firewall (e.g., to a "bit bucket" such as /dev/null, 
where they are discarded) or it shunts them elsewhere 26 for 
additional processing. If heuristic stage 36 is not certain as to the 
validity of the packets ("marginal-confidence"), buffer 24 releases 
the packets into complex firewall rule base 14 for processing. The 
output of complex firewall rule base 24 is buffer 40 (lines 32-58, Col. 
3)]; and forward the data packets of the first type to a destination without 
testing by a virus scanning engine [rating (i.e., an analysis of the 
packets 22 by heuristic stage 36 results in a high level of 
confidence that the packet stream does not contain threats that 
heuristic stage 36 is trained to detect), buffer 24 releases the
packets into a secured channel 38 directly into network 30 (lines 
30-43, Col. 3)] and forward the data packets of the second type of a 
virus scanning engine for testing [buffer 24 shunts the packets 
elsewhere, for example, either out of the firewall (e.g., to a "bit 
bucket" such as /dev/null, where they are discarded) or it shunts 
them elsewhere 26 for additional processing. If heuristic stage 36
is not certain as to the validity of the packets
("marginal-confidence"), buffer 24 releases the packets into complex firewall
rule base 14 for processing (lines 51-57, Col. 3). If heuristic stage
36 rates packets 22 as either good-confidence or
marginal-confidence, the packets are forwarded to another heuristic stage
44. Heuristic stage 44 is pre-trained to look for temporal and other 
anomalies in packet streams including, but not limited to, one or 
more of the following: temporal attack signatures, frequency 
analysis, in-transit packet modification, forged-packet indicators, 
out-of-band (OOB) communications, and/or covert channel 
communications (lines 59-67, Col. 39)]. Fink et al. and Joyce are
analogous art because they are from similar technology relating to
information security and packet scanning. It would have been obvious to
one of ordinary skill in the art at the time of invention was made to
combine the system disclosed in Fink et al. with Joyce since one would
have been motivated to provide methods and apparatus for a heuristic 
firewall that can learn from and adapt to data flowing through them to 
better mitigate such security threats (lines 34-37, Col. 1 from Joyce). 

As per Claim 49, it is a method claim that corresponds to the apparatus
claim 1. Therefore, Claim 49 is rejected for the same rationale as of
Claim 1. 

As per Claim 50, it is a storage medium claim that corresponds to the
apparatus claim 1. In addition, Fink et al. disclose a computer program
stored on a storage medium [The device comprising: (a) a memory
for storing at least one instruction (lines 22-23, Col. 3). The method
of the present invention could be described as a series of steps
performed by a data processor, and as such could optionally be
implemented as software, hardware, firmware, or a combination
thereof (lines 63-66, Col. 3)]. Therefore, Claim 50 is rejected for the
same rationale as of Claim 1.

As per Claim 62, it is an apparatus claim that shares similar limitations 
as of claim 1. In addition, Fink et al. disclose memory and processor
[The device comprising: (a) a memory for storing at least one
instruction (lines 22-23, Col. 3). The method of the present
invention could be described as a series of steps performed by a
data processor, and as such could optionally be implemented as
software, hardware, firmware, or a combination thereof (lines 63-66,
Col. 3)]. Therefore, Claim 62 is rejected for the same rationale as of
Claim 1. 

ii. Referring to Claims 4, 53, and 58: 

As per Claim 4, Fink et al. and Joyce disclose the apparatus of claim 1 

comprising: 

wherein the classifying comprises determining that data packets of the 
first type contain real time data [(lines 1-5, Abstract and lines 32-39, 
Col. 3)]. 

As per Claim 53, the rejection of claim 50 is incorporated. In addition, 
Claim 53 encompasses limitations that are similar to those of Claim 4. 
Therefore, it is rejected with the same rationale as of Claim 4. 

As per Claim 58, the rejection of claim 49 is incorporated. In addition, 
Claim 58 encompasses limitations that are similar to those of Claim 4. 
Therefore, it is rejected with the same rationale as of Claim 4. 

iii. Referring to Claim 11:

As per Claim 11, Fink et al. and Joyce disclose the apparatus of claim 1,
further comprising a buffer configured to store the data packets of the 
second type while the virus scanning engine is testing the data packets 
to detect a virus [(lines 39-65, Col. 2 from Joyce)]. 

iv. Referring to Claims 32, 56, and 60:

As per Claim 32, Fink et al. and Joyce disclose the apparatus of claim 1,
wherein the firewall is configured to receive from a packet classification 
database, information defining the first and second types of data packets 
[(lines 4-7 and lines 38-41, Col. 8 from Fink et al.)]. 

As per Claim 56, the rejection of claim 50 is incorporated. In addition, 
Claim 56 encompasses limitations that are similar to those of Claim 32. 
Therefore, it is rejected with the same rationale as of Claim 32. 

As per Claim 60, the rejection of claim 49 is incorporated. In addition, 
Claim 60 encompasses limitations that are similar to those of Claim 32. 
Therefore, it is rejected with the same rationale as of Claim 32. 

v. Referring to Claim 33:

As per Claim 33, Fink et al. and Joyce disclose the apparatus of claim 
32, further comprising: 

a virus scanning engine configured to receive from a virus detection 
database, programming information controlling the testing of the data
packets of the second type by the virus scanning engine [(lines 30-40,
Col. 2 from Joyce)].

vi. Referring to Claim 34:

As per Claim 34, Fink et al. and Joyce disclose the apparatus of claim 1, 
further comprising: 

a virus scanning engine configured to receive from a virus detection
database, programming information controlling the testing of the data 
packets of the second type by the virus scanning engine [(lines 30-40, 
Col. 2 from Joyce)]. 

vii. Referring to Claim 40:

As per Claim 40, Fink et al. and Joyce disclose the apparatus of claim 1,
further comprising configured to alert the destination upon detection of a 
virus in the data packets [(lines 61-67, Col. 4 from Joyce)]. 

viii. Referring to Claim 41: 

As per Claim 41, Fink et al. and Joyce disclose the apparatus of claim 1 
wherein the destination is a local area network [protected network 12 
(Fig. 1 from Fink et al.)]. 

ix. Referring to Claim 42: 

As per Claim 42, Fink et al. and Joyce disclose the apparatus of claim 1 
wherein the destination is a personal computer [protected node 20 
(Fig. 1 from Joyce)]. 

x. Referring to Claim 43:

As per Claim 43, Fink et al. and Joyce disclose the apparatus of claim 1, 
wherein the destination is a second network [protected network 12 
(Fig. 1 from Fink et al.)]. 

xi. Referring to Claim 44: 

As per Claim 44, Fink et al. and Joyce disclose the apparatus of claim 1,
wherein the first network is a wide area network [external network 14
(Fig 1 from Fink et al.)].

xii. Referring to Claim 45: 

As per Claim 45, Fink et al. and Joyce disclose the apparatus of claim 
44, wherein the wide area network is the Internet [External network 14 
could optionally be the Internet, for example (lines 28-29, Col. 5 
from Fink et al.)].

xiii. Referring to Claim 46: 

As per Claim 46, Fink et al. and Joyce disclose the apparatus of claim 1,
wherein the destination comprises an Internet service provider 
configured to connect coupled to a gateway, 

a modem configured to connect to the Internet service provider, and one 
of a local area or personal computer configured to connect to the modem 
[(Fig. 1 from Fink et al.) and (lines 50-55, Col. 4 from Joyce)]. 

xiv. Referring to Claim 47: 

As per Claim 47, Fink et al. and Joyce disclose the apparatus of claim 1, 
further comprising a virus scanning engine configured to decode the 
data packets during the testing of the data packets [(lines 69-67, Col. 3 
from Joyce) and (lines 4-11, Col. 7 from Fink et al.)]. 

xv. Referring to Claim 48:

Application/Control Number: 10/059,182 Page 11

Art Unit: 2439

As per Claim 48, Fink et al. and Joyce disclose the apparatus of claim
47, wherein the virus scanning engine is configured to function functions 
as a proxy for a destination processor configured to receive which 
receives the data packets [(Fig. 1 from Fink et al.) and (lines 50-55, 
Col. 4 from Joyce)]. 

xvi. Referring to Claim 61: 

As per Claim 61, Fink et al. and Joyce disclose the method of claim 49, 
wherein the classifying is performed by a firewall [(lines 6-8, Col. 5; 
lines 65-67, Col. 6; lines 4-7, Col. 8 from Fink et al.)]. 

xvii. Referring to Claim 65: 

As per Claim 65, Fink et al. and Joyce disclose a computer program in 
accordance with claim 49, wherein the classification is performed by a 
firewall [(lines 30-40, Col. 2 and lines 32-58, Col. 3 from Joyce)]. 


5. Claims 5, 57, 59, and 63-64 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Fink et al. (U.S. Patent 6,496,935) and Joyce (U.S. Patent 
6,519,703) and further in view of Lee (U.S. Patent 7,047,561).

i. Referring to Claims 5, 57, 59, and 63-64:

As per Claim 5, Fink et al. and Joyce disclose the apparatus of claim 4. 
Fink et al. and Joyce further disclose wherein the classifying comprises 
determining that data packets of the first type as in Claim 1. Fink et al. 
and Joyce do not expressly disclose the packets are part of an audio or 
video data stream. However, Lee discloses the packets are of video or
audio content [(lines 58-62, Col. 1 and lines 36-39, Col. 5 from Lee)]. 

Fink et al., Joyce, and Lee are analogous art because they are from
similar technology relating to Internet security regarding to data
communications. It would have been obvious to one of ordinary skill in
the art at the time of invention was made to modify Fink et al. and Joyce 
with Lee et al. to have the video or audio data in the packet(s) 
communicating in the network environment since one would be 
motivated to have a firewall for use in association with real-time Internet 
application (lines 7-8, Col. 1 in Lee). 

As per Claim 57, the rejection of claim 53 is incorporated. In addition,
Claim 57 encompasses limitations that are similar to those of Claim 5.
Therefore, it is rejected with the same rationale as of Claim 5.

As per Claim 59, the rejection of claim 58 is incorporated. In addition,
Claim 59 encompasses limitations that are similar to those of Claim 5.
Therefore, it is rejected with the same rationale as of Claim 5.

As per Claim 63, the rejection of claim 62 is incorporated. In addition,
Claim 63 encompasses limitations that are similar to those of Claim 5.
Therefore, it is rejected with the same rationale as of Claim 5.

As per Claim 64, the rejection of claim 49 is incorporated. In addition,
Claim 64 encompasses limitations that are similar to those of Claim 5. 
Therefore, it is rejected with the same rationale as of Claim 5. 

6. Claims 6 and 54 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Fink et al. (U.S. Patent 6,496,935) and Joyce (U.S. Patent 6,519,703) and further 
in view of Lyle (U.S. Patent 6,886,012).

i. Referring to Claims 6 and 54:

As per Claim 6, Fink et al. and Joyce disclose the apparatus of claim 1.
Fink et al. and Joyce disclose the firewall as in Claim 1. Fink et al. and
Joyce do not expressly disclose the remaining limitations of the claim.
However, Lyle discloses stop reception of a data stream containing the
data packets in response to an alert from the virus scanning engine
[(lines 28-34, Col. 14 from Lyle)].

Fink et al., Joyce, and Lyle are analogous art because they are from
similar technology relating to Internet security regarding to data
communications. It would have been obvious to one of ordinary skill in
the art at the time of invention was made to modify Fink et al. and Joyce
with Lyle to have the various components in the gateway communicating
with an alert message if the malicious code is detected, and to stop the
data flow into the protected network in such a scenario since one would
be motivated to have a way to share information about an attack,
dynamically and without human intervention (lines 20-22, Col. 2 from
Lyle).

As per Claim 54, the rejection of claim 50 is incorporated. In addition,
Claim 54 encompasses limitations that are similar to those of Claim 6. 
Therefore, it is rejected with the same rationale as of Claim 6. 


Note: Examiner has pointed out particular references contained in the 
prior arts of record and in the body of this action for the convenience of 
the applicant. Although the specified citations are representative of the 
teachings in the art and are applied to the specific limitations within the 
individual claim, other passages and figures may apply as well. 
Applicant should consider the entire prior art as applicable to the 
limitations of the claims. It is respectfully requested from the applicant, 
in preparing for response, to consider fully the entire reference as 
potentially teaching all or part of the claimed invention, as well as the 
context of the passage as taught by the prior arts or disclosed by the 
Examiner. 


Response to Arguments 

7. Applicant's amendment, filed on Dec. 03, 2008, has Claim 65 amended and 
Claims 1-64 previously presented. 

8. Applicant's remark, filed on Dec. 03, 2008, argues that independent claim 1 is 
patentably distinct over Fink in view of Joyce as Joyce does not disclose a 
firewall configured to forward the data packets of a second type to a virus
scanning engine for testing and Fink does not cure this deficiency. In addition, 
the prior art by Fink and Joyce do not teach or suggest the type of classification 
wherein the classifying comprises determining that data packets of the first type 
contain real time data as recited in Claims 4 and 58. 

9. Applicant's remark, filed on Dec. 03, 2008, further argues that the combination of 
Fink, Joyce, and Lee lacks a teaching or suggest of classifying data packets by 
determining whether the data packets includes content for real-time audio or 
video data streams, and provides the motivation for combining the cited prior art 
in merely impermissible hindsight fashion. 

10. Applicant's remark has been fully considered, but found not persuasive based on
the reasons below. 

Response to Argument (1): 

Examiner respectfully disagrees with Applicant's argument that Joyce does not 
disclose a firewall configured to forward the data packets of a second type to a 
virus scanning engine for testing and Fink does not cure this deficiency and Fink 
and Joyce do not teach or suggest the type of classification wherein the 
classifying comprises determining that data packets of the first type contain real 
time data as recited in Claims 4 and 58. First of all, Joyce specifically teaches 
the limitation of forwarding the data packets of the second type of a virus 
scanning engine for testing by disclosing that the packets with rating of
good-confidence or marginal-confidence (2nd type data packet) is sent to heuristic
stage (stage 44 disclosed in Joyce), which is a pre-trained stage that looks for 
any anomalies including temporal attack signatures (scanning for virus-related 
information) or packet modification (see lines 51-67, Col. 3 from Joyce). Joyce 
further discloses the data packets can be of the first type (high-confidence rating) 
and the data packets are packet stream that carries information for 
communications (see lines 29-42 and 61-67, Col. 3 from Joyce). The packet 
stream that carries information for communications, in this instance, would be 
qualified as a type of real time data since claim limitation has not specifically 
defined what type of data is considered as real time. Thus, contrary to Applicant's
argument, the combination of Fink and Joyce still meets with the recited 
limitations presented in the independent claims as well as the dependent claims 
4 and 58. 

Response to Argument (2): 

In response to Applicant's argument that the combination of Fink, Joyce, and Lee 
lacks a teaching or suggest of classifying data packets by determining whether 
the data packets includes content for real-time audio or video data streams, and 
provides the motivation for combining the cited prior art in merely impermissible 
hindsight fashion, it must be recognized that any judgment on obviousness is in a 
sense necessarily a reconstruction based upon hindsight reasoning. But so long 
as it takes into account only knowledge which was within the level of ordinary 
skill at the time the claimed invention was made, and does not include knowledge
gleaned only from Applicant's disclosure, such a reconstruction is proper. See In 
re McLaughlin, 443 F.2d 1392, 170 USPQ 209 (CCPA 1971). Since the prior art 
by Joyce discloses the data packets are of first type or second type (whether 
type of data packets are rated with "high-confidence" or "good-confidence or 
marginal-confidence") and the prior art by Lee discloses the use of a firewall in 
associated with real-time communications (e.g., such as voice over internet 
protocol) (see lines 1-3 of abstract from Lee), the combination of the cited prior 
art has, contrary to Applicant's assertion, met with the recited limitations. 
Furthermore, since the cited prior art is related to firewall packet filtering and 
inspection rules that specify which type of packets are to be passed and which 
type are to be blocked (i.e., see lines 34-45, Col. 4 from Lee), the motivation to
combine the cited prior art is to have the firewall disclosed in Lee utilized in a 
manner that is in association with real-time Internet application (see lines 7-8, 
Col. 1 in Lee). Such a system, as pointed out explicitly by Lee, provides an 
advantage in optimizing the processing speed through the use of the packet filter 
operating at the network layer (see lines 21-31, Col. 2 from Lee).

Based on the reasons set forth in the responses above, the rejections to the 
currently pending claims are to be maintained. Applicant is reminded that 
modification to clarify the independent claim limitations is necessary for further 
consideration. 

Conclusion

11. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant
is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed 
within TWO MONTHS of the mailing date of this final action and the advisory 
action is not mailed until after the end of the THREE-MONTH shortened statutory 
period, then the shortened statutory period will expire on the date the advisory 
action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be 
calculated from the mailing date of the advisory action. In no event, however, will 
the statutory period for reply expire later than SIX MONTHS from the date of this 
final action. 

i. Shanklin (U.S. Patent 6,578,147) disclose various embodiments of a 
method and system for detecting unauthorized signatures to or from a local 
network. Multiple sensors are connected at an internetworking device,
which can be a router or a switch. The sensors operate in parallel and each
receives a portion of traffic through the internetworking device, at a
session-based level or at a lower (packet-based) level. Depending on the type of
internetworking device (router or switch) the load balancing mechanism that 
distributes the packets can be internal or external to the internetworking 
device. Also depending on the level of packet distribution (session-based or 
packet-based), the sensors share a network analyzer (if session-based) or
both a network analyzer and a session analyzer (if packet-based). 


12. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Yin-Chen Shaw whose telephone number is
571-272-8593. The examiner can normally be reached on 8:15 to 4:15 M-F.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kambiz Zand can be reached on 571-272-4063. The fax phone 
number for the organization where this application or proceeding is assigned is 
571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR 
only. For more information about the PAIR system, see
http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR
system, contact the Electronic Business Center (EBC) at 866-217-9197
(toll-free).


Y.C. Shaw 
Mar. 04, 2009 

/Kambiz Zand/ 

Supervisory Patent Examiner, Art Unit 2434 


